Search found 243 matches

We have added more details, so that it is more clear: https://blog.mikrotik.com/security/winbox-vulnerability.html thanks, it is much more clear now. Except that the 6.28 version is vulnerable too . I am able to read usernames/passwords from boards with this version using winbox vulnerability explo...

what you wrote above may look for someone that 6.40.8 (bugfix) is not secure too. I would like you mention that this bugfix release is secure too (blog needs correction too but it mention that 6.40.8 is OK at least).

Hi, Google revealed for me this github repo (5 month old files): https://github.com/0ki/mikrotik-tools/blob/master/exploit-backup/exploit_full.sh There are some scripts which shows how to enable devel mode on several ROS version exploiting a backup file. In short the attacker must know username/pass...

recently I downgraded RB433AH from 6.42.1 to 6.40.8 and I had to bring it back to live using Netinstall. Since I had no access via serial line I have no additional information. What happened to you could explain the problem too IMHO.

For secure connection use api-ssl implementing SSL in our utilities is a problem (time etc). Since the API is proprietary protocol the login phase could be easily changed to not send plain text password and still allow you in the RouterOS to store only hashed passwords. Just make the 'challenge' ha...

Hi, known exploit for Chimay-Red needs to known some info about the device architecture and ROS version to prepare attack against web server code (where to place code on stack which will run the shell). If the attacker knows the version of ROS it can download proper ROS package, extract WEB server c...

That is basically what you have when you set the "allowed from" in the service. At least when you can confine your internal networks using IP subnet declarations. Also, you can match on in-interface in firewall filters. So you don't need to match on source IP when you don't like to. No, it isn't th...

On Czech forum is user which have winbox in IP services allowed only for his private range and is hacked :-( https://ispforum.cz/viewtopic.php?p=228863#p228863 It's possible the attack came from his LAN Hi Normis, the Czech case contained the same IP in the log like the others I have seen yet. The ...

Does the Fix package exist only for 6.35? Do we have to upgrade/downgrade to 6.35? I think the last batch of these board had higher version of ROS than the 6.35 (but maybe someone in our comapny upgraded them before they landed on my desk)

ROS on newer 922 boards is not able to detect wireless. Mikrotik created a special NPK package to fix it (perhaps to set the chipset to known state ?). New ROses will conta8in the fix too.
All the boards with the problem I have seen yet have serial number starting with 7F240 ...

barkas, read with attention whole topic, try to get a basic knowledge in IP ... Sorry I have not a time to teaching every forum reader ... dada, what exactly configuration option can help me to turn on "correct check sum calculation for UDPLite" on the MT box ? :-) I asked for NAT CFG just because ...

Hi, I had the impression that there is internet cloud between your server and the MT box which could do something with the packet too... if you have proofs that the MT box is causing the problem you should contact support@mikrotik.com with details. I have no personal experience with UDPLite. And I a...

dada, Yes , the MT box threats the packets as usual UDP packets and it is IMHO ok. RTFM, for UDP packets check sum must be recalculated, as well for IP packets and so on ... of course. But when cheksum offloading is active the NIC does this and operating system IP stack doesn't bother with updating...

I am assuming you captured the packet on outgoing interface on the MT which is doing the NAT. In the case if the network card does support IP checksum offloading the operating system will not spend CPU cycles on updating the checksum because it knows the card will calculate it during packet transmis...

You are right, if connection tracking is enabled then you will never be able to find fragmented packet because it get assembly at door. How other company handling this kind of attack? I hope the fragments you want to eliminate are part of some DDoS attack. For example if the attack is made by DNS p...

Okay! Enable IP Fragment option in "Prerouting" chain to mark fragmented packet but its not matching any single packet. If i disable check mark "IP fragment" it start matching packet.. As you already mentioned the problem is probably that ROS does the fragment reassembly automatically when connecti...

IP scan probably doesn't relay just only on ICMP responces. It probably looks to ARP table too. If there is a device which uses IP stack but doesn't want to reply to ICMP echo request it must answer to ARP query(in other case it has no IP connectivity and it cannot communucate using IPv4 at all ). I...

Hi, Okay so can we go with this, http://www.cisco.com/c/en/us/support/switches/sg300-28sfp-28-port-gigabit-sfp-managed-switch/model.html ? but it says, SMALL BUSINESS :( Dont know why! because it is an entry level switch. I have no experiences with them. I would go with 2960-x with LAN Base licence...

Hi, 5gbps ? I wouldn't not think about CRS in such network. Use something: - better manageable. See the hell of options with strange names and meanings under Switch menu. Near no one option uses a name which is widely used in networking world. Simple things like VLANs are rather complicated here and...

We will revert change which set credentials to admin without password. Yes, please. I would like to say that I got empty password box each time I start the Winbox RC17 - even if previous session was used with manually entered password. (I am using [X] Keep password). hmm strange. After I checked "[...

We will revert change which set credentials to admin without password. Yes please. Now its very annoying. Any change to say something about my other remark? (Closing windows on disconnect...) +1 I am reposting updated list of problems/wishes I sent formerly after RC9 version was released: UI discom...

3) After multiple requests, we decided to use default admin without password if router is selected from Neighbours list. If that should not be used, then router must be saved in Managed tab. If you are changing something users are used too for long time (like this) you should add a settings which a...

Hello we wanted a script which can call our url every 10 mins and update our database with CPE RoS version and signal strength the url to call should be like http://example.com/cpe.php?mac=_WLAN_MAC&ros=_ROS_VERSION&signal=_WIFI_SIGNAL_STRENGHT in return the php will echo some commands that i want ...

Same story happens again: 6.32.2 [current] was pretty stable after being around for some weeks without too many new comments or disasters. This morning found a client that still wasn't upgraded to 6.32.2 so started the auto upgrade script and AGAIN to my surprise a new 'current' version (6.32.3) is...

Thanx dada. Have you any idea why it si happening only on new, replaced router? There maybe more reasons like different ARP table behavior on the routers - IMHO there is no way how to view all the entries in the cache on ROS (not the valid ones only). If the traffic is directed to valid MAC (i.e. e...

Hi, if you see unicast packets on other than expected interfaces then it means that the switch doesn't know the destination MAC address (so it floods it to all interfaces except the one the packet arrived through)). It can easily happen that gateway's ARP record's lives longer time than the MAC in s...

Hi, IMHO the ROS doesn't show incomplete ARP entries (i.e. the cases when ARP query was not replied by remote host or is not considered valid for some other reason like timeout etc) so it is still possible that you have larger network assigned to some interface of the router and some kind of scan is...

Well. the default MTU of all the path is 1500 (I mean the path trough my carrier to my remote router) The MTU of all my phisical interfaces is 1500.. but when I create the tunnel, the tunnel the default MTU of the tunnel is 1476 (since GRE is 24byte header) 1476+1500 is perfect.. but if the device ...

Hello. so a plain GRE tunnel (no encryption) over a fiber link (MTU1500) between a central CCR and a remote RB2011 or 1100AHx2. what are the expected performance? on a central HQ I plan to use a CCR 1009 and have 3 tunnels via fiber link to three remote sites: a 10mb, b 30mb, c 300mb full duplex. c...

Thanks, dada! Seems like this is the issue indeed. I've checked the hosts toward which traffic is sent and they are indeed the ones that recently gone offline - ARP entry still exists in the router, but no such MAC address in bridge hosts table. What are my possibilities to prevent such flooding to...

Hi folks, Most of the time everything works fine, but recently this problem started happening time to time: all bridge ports start to transmit exactly the same traffic (~6-8mbps) saturating the ether interface (that VLAN's belong to). I then disable few bridge ports for a couple seconds and everyth...

Is it possible to add one button on the left hand main menu; "close all" At times there are so many windows open you want to start with a new clean empty main window. Restart Winbox with a new Session (or session <none>) Normis, you showed again typical behavior of lazy developer. I met it several ...

Hi, I think ROS is innocent here. I don't know how is the server connected to the routerboard but proably you should check your server settings. The default values for some IP stack features IMHO can cause what you see. I think you should try to check/change values for arp_filter and arp_announce (a...